1. Field of the Invention
The present invention generally relates to information network security. More specifically, the present invention relates to user-friendly systems for configuring wireless devices for access to restricted wireless networks.
2. Description of Related Art
A variety of user authentication and security measures for wireless networks have been proposed by a number of professional organizations. These professional organizations include the Institute of Electrical and Electronics Engineers (IEEE) 802.11 Working Group, the Wi-Fi Alliance, and the Internet Engineering Task Force (IETF). Various other groups such as wireless equipment vendors offer their own proprietary wireless security protocols. Depending on the particular source, implementing these protocols has generally been complicated, difficult to maintain, and requires a high level of technical knowledge by those implementing a particular protocol.
In early wireless networks (e.g., IEEE 802.11 or Wi-Fi), security was achieved by wired equivalent privacy (WEP) systems. Deploying a WEP system requires only that a network administrator define a WEP key set at an access point or access device. Any user can access a WEP-secured wireless network by having the same WEP key set manually configured on that user's client station (e.g., a laptop or mobile device). The wireless data communication between the client station and the access point would be encrypted by a defined encryption algorithm utilizing the shared WEP key set.
While WEP may work to prevent casual trespassers from accessing the wireless network, WEP would not likely withstand more serious security attacks. WEP keys can be easily discovered, for example, by using publicly available software. Further, WEP does not work to protect network users from each other since all users share the same key. Because of these flaws in WEP-based security systems, alternative security measures evolved. These new measures generally required that wireless network users first be authenticated in some manner and that a key set then be derived and used for wireless traffic encryption. These proposed authentication measures can generally be categorized into two groups: Extensible Authentication Protocol (EAP) and Pre-Shared Key (PSK).
The EAP group of security measures generally follows the IEEE 802.1x standard, which utilizes the extensible authentication protocol. EAP-based security systems enable mutual authentication between an authentication server and its users. The authentication server may reside in an access point, base station or an external device. Generally, the authentication server provides for a derived pair-wise master key to be shared between an access point and the user client station. That pair-wise master key may be used to derive a key set, which may be used for data encryption.
A major obstacle in implementing EAP or IEEE 802.1x-based security systems is their complexity. Deploying such systems requires a high level of technical expertise, as well as ongoing technical support for users. Most EAP-based systems, for example, require security certificates to be installed onto authentication servers. Depending on the exact requirements of the EAP-based system, the client stations may also need to be granted the authority to root certificate updates and/or have the security certificate pre-installed before access to the wireless network can be granted.
In contrast, PSK security systems are based on a secret shared between and stored at both the client station and the access point. The secret may be, for example, a long bit stream, such as a passphrase, a password, a hexadecimal string, or the like. Used by a client station and the access point to authenticate each other, the secret may also be used to generate an encryption key set.
A major shortcoming of PSK-based systems is that the secret has to be manually entered onto client stations and shared by all the client stations. Once the shared secret becomes known to unauthorized personnel, the security of the entire network is compromised. This may pose a problem in organizations that need to provide network access to temporary employees or that have a highly mobile workforce. To maintain the security of a PSK-based system, the secret must be changed on all client stations whenever a person with knowledge of the secret departs from the organization or is no longer authorized to access the network.
Another complication is that each organization may have specialized needs with respect to security for its wireless networks. For example, different departments within an organization may require different protocols. Some individuals, however, may require access to multiple networks, which requires that their wireless device be configured with multiple protocols. Further, some individuals may require access to particular networks but may not be authorized to access those networks. As such, many commercial organizations (e.g., small- and medium-sized businesses) have difficulties implementing security systems for wireless networks because of their lack of expertise and/or full-time professional technical support.
For example, a network administrator may have the requisite technical knowledge to implement such security systems but may have to configure every wireless client station individually. This is in addition to instructing each user on how to configure their wireless device to conform to certain wireless connection parameters. Further, various technical complications may arise for users and network administrator personnel including different wireless devices and interfaces, different requirements for access, and different restrictions on access. Such wireless devices may include headless devices. As used herein, a headless device may be inclusive of any type of device that lacks user interface elements. For example, a headless device may lack a monitor, graphical user interface, keyboard or keypad (physical or touchscreen), or mouse. Such lack of user interface elements may make entering data more difficult or time-intensive. Such difficulties or time-intensiveness increase with the number of characters that may need to be entered, as well as the number of characters (e.g., capitalized and lower-case text, numbers, punctuation marks) available.
Notwithstanding the many measures available for securing a wireless network, implementing any one of these measures may be complicated, difficult, and/or require extensive maintenance. There is, therefore, a need in the art for improved systems and methods that provide for restricted access to secured wireless networks that are user-friendly and easily maintained without requiring a high degree of technical expertise and/or ongoing technical support.